Google responds to European questionnaire on new privacy policy

Loek Essers
April 6, 2012

IDG News Service

Google has responded to questions from European privacy regulators about its new privacy policy, but only managed to answer 24 of the 69 questions, according to a copy of the letter published by Google on Thursday.

The Article 29 Working Party, the umbrella organisation for Europe's privacy regulators, twice asked Google to delay the launch of its new privacy policy, saying that it breaches EU privacy laws. The terms took effect in March, and aim to impose the same privacy policy on all Google's services. After Google denied the request to postpone the policy's introduction, the French National Commission on Computing and Liberty (CNIL), acting on behalf of the working party, sent Google a 12-page questionnaire comprising 69 privacy-related questions that concerned the Commission.

Google's Global Privacy Counsel Peter Fleischer answered some of the questions on Thursday, and again reminded CNIL that Google had asked on several occasions to meet to discuss privacy matters. He repeated that Google was not willing to halt the policy's introduction because the request came after a lengthy campaign informing users about the changes, and delaying introduction of the new rules would have confused users.

While Google said it rolled out the largest information campaign in its history to inform users about the policy changes, the company failed to provide the CNIL with figures about the effect of the campaign. Google was not able to provide unique visitor statistics for the dedicated privacy main site and its localised versions. Fleischer pointed out that the Google privacy site is only one of many different mechanisms Google uses to disseminate privacy information. Google was not able to explain why it could not provide statistics for the privacy landing page, because its London office is closed for the Easter holiday.

Retention of data backups not clear

Google also failed to provide details of its data backup regime. The company was asked to explain why its policy says that it may not remove information from backup systems when the user asks for its deletion. While the company said it would delete users' personal information upon request, it said Google's backup and retention policies are set to take into account users' interest in security and business continuity.

When asked if this means that Google will actually delete data from all backups upon request after an additional period of time, Google responded: "Google has documented policies and processes covering deletion of user data from back-up tapes." It is impossible to provide an upper bound to the additional retention period needed to delete data from all backups, because that time varies from case to case, the company added.

Google also failed to specify the maximum additional retention period for data deleted by authenticated users, although it did say that its unspecified backup and retention policies "would, for example, enable us to restore a maliciously deleted user account."

Google answered the first 24 questions, leaving 45 still to be addressed. According to Fleischer, Google wanted to answer the questions about its new privacy policy first and will answer the rest at a later stage.

PREF and DoubleClick cookies

The unanswered questions cover topics including the comparison between Google's terms of service and the new privacy policy, the legitimacy of data connections between services and further changes to general rules. One question asked why the sentence "For certain services, we may give you the opportunity to opt out of combining such information," present in the old privacy policy, was removed in the new one. Google was also asked to indicate which cookies are strictly necessary to provide a service "explicitly requested" by the user and why they are necessary.

The privacy regulators are particularly interested in the so-called "PREF" cookie and in the DoubleClick cookie, used for serving ads. Google explained in the first batch of answers that the PREF cookie is used to store user preferences and other information such as preferred language, how many search results users wish to have shown per page and whether the SafeSearch filter should be switched on.

CNIL has started a legal and technical analysis of Google's answers, its communications officer Elsa Trochet-Macé said in an email on Friday.

"We first needed to send our questionnaire and receive written answers before meeting Google," she said, adding that there could be a discussion with Google and the Article 29 Working Party later.